HIPAA - Time Limit 164.316(b)(2)(i)

Overview:
Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.

Action Items:
1) Obtain and review documentation of policies and procedures for compliance with retention requirements.
2) Obtain and review documentation demonstrating that policies and procedures are being maintained for six (6) years from the date of its creation or the date when it last was in effect.
3) Obtain and review documentation demonstrating that an action, activity, or assessment is being maintained for six (6) years from the date of its creation or the date when it last was in effect. Evaluate and determine if such implementation is in accordance with related policies and procedures.

Related Documents:
1) Documentation of policies and procedures for compliance with retention requirements.
2) Documentation demonstrating that policies and procedures are being maintained for six (6) years from the date of its creation or the date when it last was in effect.
3) Documentation demonstrating that an action, activity, or assessment is being maintained for six (6) years from the date of its creation or the date when it last was in effect.

Additional Guidance:
This six-year period must be considered the minimum retention period for required documentation under the Security Rule. Some organizations may choose to keep their documentation longer based on state law, requirements of accreditation organizations, or other business reasons.